Paul Hoffman / VPNC wrote: [...]
"Could", yes, but so far, we have not heard that this is a problem in current deployments.
This is true; anyway, you also said it "could" lead to problems, therefore we should change this, I guess.
> Maybe I'm misunderstanding the proposal, but it seems like this would cause *massive* problems for currently-deployed systems that expect and rely on the nextUpdate field.
I don't see these *massive* problems for applications here; indeed, as the ASN.1 states, it is an OPTIONAL parameter, so an application should already check the existence of the field before relying on its value... I guess these are the basics of good code writing.
Moreover, the nextUpdate field (as it is described) carries information on the date by which the next CRL will be issued; anyway, new revocation data could be made available any time sooner... This means that if I want to be sure about updated revocation data, I should look at the repository for new CRLs, regardless of what the nextUpdate field value is.
I guess this is not a big change in current software. Indeed, there are examples of software which let the user decide when to check for new CRLs (e.g. once per day).
> > Indeed the default behaviour for today's CAs is to issue new CRLs as soon as a certificate is revoked.
> That may be true for some systems, but it certainly isn't true for others.
> > - why be forced to issue a new CRL if no new data is indeed available?
> Because it is cheap for the CA to do.
This is true. My proposal wants to let CAs establish whether or not to put the nextUpdate field into CRLs. This will obviously not touch currently deployed policies (and applications) if the chosen behaviour is to put the nextUpdate field into CRLs.
By stating the nextUpdate field as optional, I don't want to force CAs not to use the field.
Please let me know if you have any new comments or objections to the proposal.
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]       massimiliano.pala@xxxxxxxxx
Tel.: +39 (0)11 564 7081
http://security.polito.it                        Fax: +39 178 270 2077
Mobile: +39 (0)347 7222 365

Politecnico di Torino (EuroPKI) Certification Authority Information:
Authority Access Point: http://ca.polito.it
Authority's Certificate: http://ca.polito.it/ca_cert/en_index.html
Certificate Revocation List: http://ca.polito.it/crl02/crl.crl
--o------------------------------------------------------------------------
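The two points made in the message above, that a relying application must test for the presence of the OPTIONAL nextUpdate field rather than assume it, and that it should refresh from the repository on its own schedule whatever nextUpdate says, as an added Python example. This is not code from the thread, from OpenCA or from the Politecnico di Torino CA; it is a stdlib-only DER encoder/decoder for just enough of TBSCertList to show the point. The issuer name, OID, dates and serial numbers are constructed sample values, and `needs_refresh` is a hypothetical local policy function, not any standard's rule.

```python
from datetime import datetime, timedelta, timezone

# --- minimal DER helpers (enough for TBSCertList as in RFC 3280, section 5.1) ---

def tlv(tag, body):
    """Encode one DER tag-length-value element (short or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18

def encode_time(dt):
    """Time ::= CHOICE { utcTime, generalTime }: UTCTime is used for 1950-2049."""
    if 1950 <= dt.year <= 2049:
        return tlv(UTC_TIME, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return tlv(GENERALIZED_TIME, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def parse_time(tag, value):
    s = value.decode("ascii")
    if tag == UTC_TIME:                    # YYMMDDHHMMSSZ, two-digit year
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = s[2:]
    elif tag == GENERALIZED_TIME:          # YYYYMMDDHHMMSSZ
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)

# Constructed sample material (not from any real CA).
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
CN_OID = bytes.fromhex("550403")                       # 2.5.4.3 commonName

def build_tbs_cert_list(this_update, next_update=None, revoked_serials=()):
    """Encode a TBSCertList; nextUpdate is emitted only when one is given.
    Serials are assumed to be small positive integers (< 128) for brevity."""
    body = tlv(0x02, b"\x01")                                           # version v2
    body += tlv(0x30, tlv(0x06, SHA256_RSA_OID) + tlv(0x05, b""))       # signature
    body += tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) +
                                        tlv(0x13, b"Constructed Test CA"))))  # issuer
    body += encode_time(this_update)                                    # thisUpdate
    if next_update is not None:
        body += encode_time(next_update)                                # nextUpdate OPTIONAL
    if revoked_serials:                                                 # revokedCertificates OPTIONAL
        entries = b"".join(
            tlv(0x30, tlv(0x02, bytes([s])) + encode_time(this_update))
            for s in revoked_serials)
        body += tlv(0x30, entries)
    return tlv(0x30, body)

def parse_tbs_cert_list(tbs_der):
    """Return thisUpdate/nextUpdate; nextUpdate's presence is decided by tag, not by position."""
    tag, body, _ = read_tlv(tbs_der, 0)
    if tag != 0x30:
        raise ValueError("TBSCertList must be a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        fields.append((t, v))
    i = 0
    if fields[i][0] == 0x02:               # version OPTIONAL
        i += 1
    i += 2                                 # skip signature and issuer (not needed here)
    this_update = parse_time(*fields[i])
    i += 1
    next_update = None
    # A Time here is nextUpdate. A SEQUENCE here is revokedCertificates and a
    # [0] tag is crlExtensions, so in those cases nextUpdate was simply omitted.
    if i < len(fields) and fields[i][0] in (UTC_TIME, GENERALIZED_TIME):
        next_update = parse_time(*fields[i])
    return {"thisUpdate": this_update, "nextUpdate": next_update}

def needs_refresh(info, now, local_max_age):
    """Hypothetical local policy: fetch a new CRL once the stated validity has ended,
    or once the copy is older than the local limit (e.g. one day), whatever nextUpdate says."""
    if info["nextUpdate"] is not None and now >= info["nextUpdate"]:
        return True
    return now - info["thisUpdate"] >= local_max_age
```

Building one CRL body with nextUpdate and one without, both carrying a revokedCertificates entry, shows why the tag check matters: a parser that treats "the element after thisUpdate" as nextUpdate would try to read the revocation list as a date when the field is absent, whereas the tag-driven check returns `None` and lets the local refresh policy take over.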